Raashid Bhat

Malware Research Blog.

Read this first

A Guide to Malware Binary Reconstruction

Often we come across times where binary reconstruction while analyzing malware / unpacking malware is required . Taking leverage of automated tools is not always useful, sometimes manual reconstruction is required. In this blog we will cover up manual and automated binary reconstruction .

 Reconstructing IAT from stolen API code

This technique is used to hinder IAT construction after malware finishes unpacking its code, but first we need to understand how IAT is implemented in PE (portable executable).

 IAT basics

IAT (Import Address Table) is an internal structure in PE file . It consists of information to instruct windows loader to load and resolve dynamic link libraries and corresponding API function addresses. If you examine a PE file you will notice two pointers in the IMAGE_OPTIONAL_HEADER . One points to an internal structure IMAGE_IMPORTDESCRIPTOR a part of which further

Continue reading →


Notes On Vawtrak Banking Malware

Use of Heavens Gate technique for switching between 32bit and 64bit

Packed file is compressed and encrypted using several layers , discussing that would be irreverent here . At one point of time the a DLL is extracted which is actually installed and registered in an infected machine .
DLL happens to be a Component Object Model (COM) Binary DLL.

1.png

Entry point of the module is used for initialisation and sets some Named Events for checking an already running instance.

2.png

One important feature of Vawtrak is the use of Heavens gate for making 64bit calls though 32bit code . Basically in this technique , we make a far jump/call to segment 33h to land in 64bit environment under wow64 and segment 23h to come back to 32bit as mentioned here : http://vxheaven.org/lib/vrg02.html

As Vawtrak DLL comes in form of a 32bit PE file only . It makes heavy use of heavens gate to implement code

Continue reading →


How Cyber Criminals Use Malware To Mine LiteCoins

43227_dirty_old_gold_miner_finding_nuggets_in_his_tray.jpg

_009D0000.png

Recently I came across not so well known downloader trojan . While analysing many interesting things were revealed. Download starts by enumerating a specific list of mutexes opened by all process and if found that particular process is terminated .

FinalAnalysis.odt.png
FinalAnalysis.odt.png

Followed by generating Install ID and Installer Subroutine . Install ID is generated using a call to GetTickCount() API

3.png

4.png

It makes connections to a list of c2 server hardcoded in the binary itself . List may contain 2-3 c2 servers . URI is formatted in this way FOLDER/?user=[InstallID]&id=1&type=5&key=[randomly generated key]

key is generated using a sequence of (GetTickCount() * 1664525 ). This key is later on used to decode a payload sent by c2 server .

C2 replies with an encoded binary buffer . This Buffer is decoded using the same key mentioned above

5.png

To decode the payload , we will use a very nice 010 Editor Script

Continue reading →


Cutwail : Malware With a Crash Reporting Feature.

Cutwail Spam component is a part of PushDo Botnet . Recently I was analysing Cutwail and came across an interesting patch reporting functionality in Cutwail .

It starts with Fixing IAT ( Import Address Table ) to correct corresponding addresses . This is done because this component of PushDo is loaded and executed through process Tunnelling / RunPE method

blog.odt.png

blog.1.png

It also sets up MAC address and a UDP socket for communication . MAC address is packed into a single 4byte Integer

3.png

When a crash occurs a custom exception handler collects the related information in the following structure

#pragma pack(1)
struct Crashpacket
{
    DWORD MacAddress;
    struct _EXCEPTION_RECORD ExpRecord;
    struct CONTEXT ContextRecord;
    DWORD NoOfStackFramesRead;
    DWORD CallChainRecord[20];
};

MacAddress is retrieved from variable set earlier . _EXCEPTION_RECORD is an inbuilt structure which

Continue reading →


How to bypass Zeus Trojan’s self protection mechanism

h.jpg

 
Hacking spammers for Dummies


or

How to bypass Zeus Trojan’s self protection mechanism


Spammers are good when it comes to intimidating users to open the attachment . One of the recent pathetic and cruel one was

Hi

A Person from your office was found dead outside . Please open the picture to see if you know him .

Regards

Attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon .

Quickly opening up in IDA will give us a hint that it is basically a VBpacker. VBPackers usually create a hallow suspended process , overwrite the memory and resume within .

h.jpg

After successfully unpacking and fixing the dump we get the following output

h.jpg

OEP the unpacked binary is enough to tell us that it is a Zeus Banking Trojan . Well this one is a different version of Zeus with self-protection which means unpacked ones

Continue reading →


Andromeda Gamarue Botnet Gets An Update

Recently I saw some spam emails exploiting an adobe PDF vulnerability ( thanks to Conrad Longmore ( https://twitter.com/ConradLongmore) )

upload.jpg

This PDF file seems to be exploiting CVE-2013-2729 vulnerability. The shellcode is small and simple . It just downloads the file from a server and executes it .

upload.jpg

After unpacking the file , analysis reveal that this is a new update for Andromeda - Gamarue botnet . The version is upgraded to 2.9 . Although there is no significant change in the Botnet , the version number from the request string has been removed

upload.jpg

upload.jpg

Raashid Bhat

http://twitter.com/raashidbhatt

Continue reading →


Understanding Neverquest Banking Trojan Polymorphic Engine

Neverquest packer uses polymorphic engine and junk code in its important subroutines. By using polymorphic engine to some extent static signature rules will fail. For example you can see the difference in between two main decoding subroutines

Untitled.jpg

The output of this subroutine is a LZ compressed buffer, which later on is submitted to APLIB decompression subroutine.

The main parts of this algorithm are*

1 :Key = variable length array of bytes rounded to 0 after list is exhausted

2 :Data Chunk Structure = variable length Array of structure defining length of block to be decoded +
pointer to that block

If we study the decoding algorithm we can fairly strip download the algorithm to a following simple
representation


IF CHUNKSIZE > COUNTER : REPEAT
OUPUT := DATACHUNK – KEYBYTE_AT_VARIABLE_DISTANCE

The main challenge with the algorithm is to get the base and the end of key . In some

Continue reading →


Stripping Upatre Trojan Downloader

Upatre is a trojan downloader widely used to download banking botnets . It recently started using compression and XOR encoding . Upatre comes with a custom packer . After unpacking real nasty evil code is revealed . Unpacking Upatre is little bit tricky . Following Blog post will show you how to unpack and rebuild Upatre.

This is what Upatre looks like when you open it up in a debugger .

Untitled.jpg

If we skip the decoding routine . We land at OEP which looks something like this.
[Untitled.jpg]

Untitled.jpg

Calls like CALL DWORD PRT SS :[EBP + 30] are windows API calls. Before jumping to the OEP all the API call addresses are pushed on to the stack . So building a IAT for this type of packer would be a tricky job .

 Tracing API calls.

For tracing the destination of all these indirect API calls made after OEP , we will parse a trace file . One thing to take care of is the installer and downloader . So we

Continue reading →

ssl yes